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Contextual type theory distinguishes between bound variables and meta- variables to write potentially 
incomplete terms in the presence of binders. It has found good use as a framework for concise 
explanations of higher-order unification, characterize holes in proofs, and in developing a foundation 
for programming with higher-order abstract syntax, as embodied by the programming and reasoning 
environment Beluga. However, to reason about these applications, we need to introduce meta^- 
variables to characterize the dependency on meta-variables and bound variables. In other words, we 
must go beyond a two-level system granting only bound variables and meta-variables. 

In this paper we generalize contextual type theory to n levels for arbitrary «, so as to obtain a 
formal system offering bound variables, meta-variables and so on all the way to meta"-variables. We 
obtain a uniform account by collapsing all these different kinds of variables into a single notion of 
variabe indexed by some level k. We give a decidable bi-directional type system which characterizes 
JSt] -normal forms together with a generalized substitution operation. 



1 Introduction 

A core problem when describing computations and proofs is the need to model unknown entities. The 
standard approach is to introduce meta-variables that one can use in place of concrete evidence that might 
not yet be available. Consider for example the development of the proof for 'ix3y.P{x,x) A Q{x,x) D 
Q{y,x) f\P{x,y) in a proof assistant. Working from the goal formula, we first introduce a parameter a and 
subsequently introduce a meta- variable Y for y which may depend on a. We can describe the intermediate 
subgoal we must now solve as: P{a,a) A Q{a,a) D Q{Ya,a) f\P(Ya,a). At a later point in the proof, we 
may realize through (higher-order) unification that a is a good instantiation for Y giving us an trivially 
provable goal. The question we address in this paper is how to describe formally the incomplete proof 
state we are in prior to finding instantiations for 7. Clearly, the missing proof term we want to construct 
depends on the meta-variable Y and the parameter a bound in the context. We hence need to introduce 
meta^ -variables to describe it. 

A similar situation arises in the Beluga programming and reasoning environment |fT6l[T7l . Recursive 
programs in Beluga analyze and manipulate meta-objects of type A[*F], i.e. objects which have type A in 
a bound variable context *P. For example, [x:i] aiii Ay. audi (F x y) (F y x) describes the derivation 
of the formula 'iy.P{y,x) f\P{x,y) where F itself stands in lieu of a description of the derivation which 
ends in P{y,x) in the context [x:i,y:i]. Note that the meta-variable F is bound: if we pattern match on 
the LF object, then F is introduced and bound in the branch or it is bound explicitely at the outside by 
an abstraction. We hence have two different kinds of bound variables in the LF object. In Beluga, we 
can write underscores anywhere in an LF object and let type-reconstruction find the correct instantiation. 
For example, to describe an incomplete derivation where we omit the second argument to andi, we may 
write [x:i] aiii ly. andi (F x y) _ . During type reconstruction, the underscore will be replaced by a 
meta^ -variable to express the fact that we may use the meta-variable F or the bound variables x and y. 
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Contextual type theory |[T4l provides both bound variables and meta-variables, complete with a log- 
ical foundation for reasoning about them. Up to now it has been used to explain higher-order unification 
|[T8l i2l. characterize concisely holes in proofs, and develop a foundation for programming with higher- 
order abstract syntax as found in the Beluga programming and reasoning environment |[T6l [TTl . This 
paper generalizes and extends contextual type theory lfT4l to an arbitrary number of levels of variables. 
Bound variables are of level 0, meta-variables are of level 1, meta^-variables are of level 2, and so on and 
so forth. This leaves us with a uniform treatment of contexts, variables and their associated substitution 
operations. Unlike earlier work sketched by Pfenning |[T5l for the simply typed case, we enforce that the 
context is ordered, i.e. if n > m, then variables of level n occur to the left of variables of level m. This 
will naturally enforce the correct dependency: variables of the higher level n cannot depend on the vari- 
ables of lower level m. We give a bi-directional type system to characterize jS-Tj-long normal forms and 
generalize the hereditary substitution operation to variables of arbitrary level. We prove the hereditary 
substitution to be terminating, prove that typing preserves the well-formedness of ordered contexts, and 
show bi-directional typing to be decidable for the multi-level system. 

This work is one step of the way towards streamlining and simplifying the implementation of Bel- 
uga, where we currently distinguish between bound variables, meta-variables, and meta^-variables. But 
more generally, this work can be used to formalize incomplete proofs that manipulate open proof objects 
containing meta-variables. This is important to scale tactic languages such as VeriML [20 1 where we 
manipulate meta-objects that may contain bound variables, or to reason about the tactics themselves. 
We envision down the line a multi-level Beluga, which would allow us to reason about and manipu- 
late Beluga programs within Beluga itself. This will provide a uniform framework where the proofs, 
the development of proofs using tactics, and the reasoning about tactics all share a common basis and 
supporting implementation. 

2 Language definition 
2.1 Syntax 

Contextual type theory was introduced by Nanevski et al fT4l and extended the logical framework LF |fT3]| 
with first-class meta-variables. Our work is a natural continuation of this work generalizing contextual 
types to multiple levels. Following Watkins et al flTl . the syntax is limited to expressing terms in jS- 
normal forms, which are sufficient for encoding the types and expressions of some logic or programming 
language as well as judgements and derivations pertaining to those types and expressions. We leave the 
development of a non-canonical version to future work. While the grammar below only enforces that 
objects are j8 -normal, the typing rules will also ensure objects are moreover in Tj-long form. 



Sorts 


s 


::= type kind 


Atomic Types/Kinds 


P,Q 


::= s\a\P{r.N) 


Normal Types/Kinds 


A,B,K 


::= P\Ux":A['i>"].B 


Atomic Terms 


R 


::= x"[a]\c\R{r.N) 


Normal Terms 


M,N 


::= R\Xx".M 


Substitutions 


a,T 


::= ■\a,r"-M\o,Ax' 


Contexts 




::= -l^X'M^"] 


Signature 


E 


::= ■\L,a:K\L,c:A 



Normal objects may contain variables x" which are bound by A -abstraction or declared in a context 
W. Variables are associated with a level n. The level n of a context *F is an upper bound on + 1 {x'^ € 
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dom(*P)}. In other words, we write when we know that all variables in *F are at levels strictly 
smaller than n. Unlike the superscript on variables, the superscript on contexts is purely a mnemonic 
convenience as this annotation can normally be inferred from information elsewhere wherever relevant, 
just as lambda-abstractions are not annotated with the domain type because that information is usually 
already available somewhere else. 

A variable ^ has type A[*I'"], i.e. it has type A in the context ^' of variables at levels lower than n. 
To put it differently, x" may refer to the (local) variables in and may also contain (global) variables 
of a higher level. If n = 0, we recover our ordinary bound variables of type A. The context will be 
dropped, because there is no context of level 0. Yet, A may refer to meta-variables or more generally, 
to variables at a higher level. Similarly, we can recover meta-variables which are of level 1 and have 
type A[*P^]. The context contains only variables of level 0, i.e. ordinary bound variables. Hence, 
locally meta-variables depend on ordinary bound variables, but they may also contain (global) variables 
of higher level (for example, meta^ -variables). A variable ;c" of type A[*F"] stands for an object ^".M 
where W lists the bound variables that may occur in M and again, the level n indicates that it may contain 
locally bound variables only up to level n. This is important information when the need arises to rename 
the locally bound variables occurring in M, to avoid captures for instance. 

As we navigate under binders, it may be necessary to substitute the bound variable for another one 
or for a term. Such substitutions get "stuck" at the level of meta-variables because there is no term 
to substitute in until the meta-variable is instantiated. In the core syntax we impose the invariant that 
all meta-variables standing for a term in a context *P be associated with a (simultaneous) substitution 
a such that the domain of a matches that of As such, given *P, it is not necessary to make the 
domain of substitutions explicit, as that information would be redundant. Intuitively, the i-th element in 
(7 corresponds to the j-th assumption in 'P. A postponed substitution o is appUed as soon as we know 
what y stands for and applying a with domain 'I' to a term M is written [(7]>pM . 

A substitution maps (canonical) terms for variables. But as we push this substitution under binders, 
the size of the context grows and so must that of the substitution. A term of the form (Ax.M)[(7] can 
be rewritten to (Ax.M[a']), where a' extends a by mapping the variable x to itself. However, recall 
that X by itself is not a meaningful term in our grammar — all variables are systematically paired with 
a simultaneous substitution. Without knowing the type for x, we cannot infer the appropriate identity 
substitution which would allow us to replace x by x[id]. Even if x[id] was made a valid syntactic object 
in our grammar, it is not guaranteed that x[id] is a canonical form at higher type (canonical forms are 
T7-long). Moreover, the property that a given term M inhabits a certain type is an extrinsic property of 
M and types should play no role when propagating substitutions. Since the type of a term and its free 
variables might not be known in general, it is thus not always possible to put x in j3T]-long normal form. 
We therefore allow extending substitutions with renamings of variables, such as in cy' = a,AX, which 
maps X to itself. 

Applications resemble the way substitutions are built. Using the typing rules as a guide, notice 
that being able to apply some atomic term R to some other term must mean the type of R denotes a 
function whose type must be of the shape Ih": A\^"].B. The function R then, expects an argument of 
type A , which can therefore only be of the shape M. It would make little sense to simply write 
M here, since M may contain "free" variables from ^F". Recall that all occurrences of the variables x" 
in M are associated with a postponed substitution c which will provide instantiations for the variables 
in To further bring home the connection to substitutions, consider /3 -reduction. EUminating a redex 
{Xx".N) (^P^-M) means substituting 4"'.M forx" in N, i.e. ^".M/:^]N. 
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2.2 Context operations 

Before moving to the typing rules, we explain the two necessary context manipulating operations: merg- 
ing and chopping. When checking the domain of a dependent function rbc":A[<I>"].B in context it will 
be necessary to drop some of the assumptions in *P and extend *P with O". To chop off all variables 
below level n from the context we write *Fl„. To merge two contexts *F and we write *F -H- <I>. 

As mentioned earlier, contexts must be sorted according to the level of assumptions ;c":A[*F"]. One 
should conceptualize this ordered context as a stack of subcontexts, one for each level of variables. Let 
^'{k) be the subcontext of with only assumptions of level k. Then, = l),»P(n-2), . . . ,*F(1). 

We opt here for a flattened presentation of this stack of contexts in order to simplify merging and chop- 
ping of stacks. 

However, keeping the context sorted comes at a cost: inserting new assumptions a:*^:A[<I>'^] must 
respect the invariant that contexts are always sorted. The flipside is that guaranteeing that merging two 
contexts respects well-formedness is much easier and chopping contexts is more efficient. With merging 
defined, insertion of a new assumption into a context is a special case, so we dispense with defining a 
separate operation. Merging and chopping contexts are defined inductively as follows: 



Merging contexts :*F -H- <I> = F 
• -H-O =0 
»F-H-- = W 

x« :A [r"] +f 3;^ :B [V''] = x" :A [P'] +h<^),y'' .B [F'^] \fk<n 
»P,x":A[r«] +f<I>,/:B[r'''] = (»F +f <I>,/:B[r''']),x":A[r"] otherwise 

Chopping contexts: m\„ = <I> 
■ I « — 

{^>,:^:A[^''])\n = ifk<n 

{^,^:A[^''])\n = ^,x^:A[^''] otherwise 

Merging of two independent contexts is akin to the merge step of the mergesort algorithm and there- 
fore inherits many of its properties. In particular, the merge of two sorted independent contexts is again 
a sorted context. It is also stable, in the sense that the relative positions of any two assumptions in or 
in is preserved in -H- 

The chopping operation allows us to drop all variable assumptions below a given index from a con- 
text. \fk <n, then ^^\n = ■■ Similar to the chopping and merging operation on contexts, we will need 
chopping and merging on the level of simultanous substitutions, written a|r" and a -H- p respectively. 
These operations will be defined in Section [231 on page [39] 



2.3 Typing rules 

We present in this section a bi-directional type system, capable of checking normal terms (resp. normal 
types) against a type (resp. sorts) and synthesizing types (resp. sorts) for atomic entities. The rules are 
given in Figure [T] When reading the rules bottom-up, assumptions are accumulated into the context *F 
at the left of the turnstile as we descend into multi-level objects, but it is sometimes necessary to restrict 
it using the previously defined operations. All typing judgments have access to a well-typed signature 
r where we store constants together with their types and kinds. However, signatures declare global 
constants and never change in the course of a typing derivation. Therefore the parameterization of the 
typing rules by the signature Z for constants is kept implicit. 
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*P h M <^= A Normal term M checks against type A 

*F h /? => A Neutral term R synthesizes type A 

*P h a Substitution a has domain 0" and range *P. 

The bi-directional rules can be understood as determining two mutually defined algorithms for in- 
ferring the type of an object and checking an object against a type. We always assume that *P and the 
subject (M, R, or a) are given, and that the contexts *F contains only canonical types and is well-formed. 
For checking M <;= A we also assume A is given and canonical, and similarly for checking a <I> we 
assume <I> is given and is well-formed. For synthesis R ^ A we assume R is given and we generate a 
canonical A. Similarly, at the level of types and contexts we have 

*F h A <^ 5 Type/Kind A is well-formed 
^' \- A ^ K Type A synthesizes kind K 
*P h O ctx Context <I> is well-formed in the context *F 
with corresponding assumptions on the constituents. 

As in Pure Type Systems, a type is well formed if its type is a sort. Whereas signatures might contain 
term-level and type-level constant declarations, we only allow declarations of sort type in contexts since 
abstractions and dependent function types may only abstract over terms, not types. 

Checking that types are well-kinded is bi-directional. To check that nj(;":A[<I>"].B is a well-formed 
type in the context *P, we check first that the context is well-formed in *P. We note that the assump- 
tions in <I>" should only have access to assumptions greater than or equal to n and checking that <I>" is 
well-formed in the context *P will amount to checking that 0" only depends on assumptions Next, 
we verify that A is well-kinded. Because of the dependency of types on terms, scopes over the type 
A. Consider for instance 

(r. cons nxxs) : (vecn)[r] 

where F = ?i:nat,x:bool,xs:vec n. The type of this instantiation for a meta-variable depends on the 
variable n bound in F. A may refer to the variables in O", but also to variables m where m>n from 
*P. Hence, we drop from *F all assumptions below n and merge the resulting context with O". Finally, 
we check that B is well-kinded in the context *F extended with the assumption x":A[<I>"]. We rely on the 
previously defined merging operation on contexts, to insert the assumption x":A[<I>"] at the appropriate 
position in *F. 

To check that atomic types are well-kinded, we synthesize their kind. For type constants, we simply 
look up their type in the signature £. The interesting case is the application rule. To synthesize the 
kind for P {^\N), we first synthesize the kind for P as njc":A[<I>"].A'. Subsequently, we check that N 
has type A. We again must be careful regarding the context. First, some renaming may be necessary to 
bring the locally bound variables described in <i>" in sync with the context. Moreover, we observe that all 
variables below n which occur in N and A refer to binding sites in <I>". All variables equal or greater than 
n which occur in N and A refer to binding sites in i.e. the context *P where we drop all assumptions 
below n. Finally, we must be careful to substitute <i>".A^ for x" in ^ in the resulting kind we return. 
Because our grammar only recognizes j8 -normal objects as syntactically well-formed, we must rely on 
hereditary substitution to hereditarily eliminate any redices as we instantiate variables in the target of the 
substitution. We annotate here the substitution with the type of A[<I>"]. This is only strictly necessary to 
ensure that hereditary substitutions terminate. We postpone the definition and discussion on hereditary 
substitutions for now and will revisit it in Section [231 

In the lambda-abstraction rule, we check that Xx".M has type nx":A[<I>"].B by inserting the new 
assumption x" :A [<!>"] at the appropriate position in *P and continuing to check that M has type B. Note 
that, without loss of generality, we implicitly assume here and everywhere else that x" ^ *F. This can 
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Atomic Types/Kinds 










r(a) 


= K 




P^rb;«:A [<!>"] 








»F h P (4>«.Af) 




Normal Types/Kinds 


\-A 









h P ^ type 



'I' h type <J= kind h P <j= type 

1'|„^<D" hA<s=type 'PhO'^ctx ^ Vr x^-A[^'']^ B ^ s 



Atomic Terms h M A 



»I'(;c") =A[<I>"] h C7 Z(c)=A "i! hR^Yh^:A[^%B l-Ar<^A 



>P hx"[a] ^ [a]<j>«A I'hc^A 
Normal Terms 



>yhj?^p p = j2 



^ hP (<I>".A^) ^ [<i>".A^/;c"]A[<i.'.]S 
»P+fx":A[<I>"] hM^B 



h Xj<".M ^Ux":A[<^"].B 



Substitutions »F h a ^ <I>" 



I* I- a,P.M 4= «I>",;c*:A[r*] 

*y h g ^ = [a],i>.(A[r^]) 



where a' = a\k -H- id(f*) 



Context well-formedness *F h ctx 



»F h <!)" ctx +h <I>«|^ ^ h A ^ type T|„ ^ <I)"|;t ^ ctx 
»F |-<I>",;c'=:A[r*] ctx 

Figure 1 : Typing rules for LF with contextual variables and context variables 



k <n 
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always be achieved by a-renaming. When we reach a normal object of atomic type, we synthesize a type 
Q and compare Q to the expected type P. Comparing two types reduces to checking structural equality 
between Q and P modulo renaming, since all types and terms are always in canonical form. The only 
minor complication arises when checking that two substitutions are equivalent. Because we may simply 
write x" for a variable of type A [4*"] or its expanded form, comparing two substitutions must take into 
account t] -contraction. 

To synthesize the type of a constant, we simply look up its type in the signature E. Term-level 
application R (^.N) follows the same ideas as type-level apphcations. The most interesting rule is the 
one for variables. To synthesize the type of a variable x" we retrieve its type A [<!>"] from W. Next, we 
check that the substitution a which is associated with maps variables from <I>" to Finally, we return 
the type of y [cr] which is [crJonA. 

A substitution g,P^.M checks against domain 4>",;c^:A[r*], if a checks against and in addition 
M is well-typed. As in the rules for applications, we must be a little careful about where variables in 
M are bound. M contains locally bound variables from F*^ as well as global variables from ^\k. We 
again restrict ^ to only contain variables above k, since all variables below k are bound in F. Next, we 
inspect the type dependencies. We note that F'^ is a well-formed context in O", although the typing rules 
will ensure F* only accesses declarations from ^"\k- Similarly, when applying o to F*^, we will ensure 
that a will be appropriately restricted (see the definition in the appendix) to only substitute for variables 
of level k and higher. Therfore, [c7]$'!(F*) yields a well-formed context in On the other hand, A 
is well-typed in the context <^"\k -H- F'^, however a has domain O". Simply applying a to A would be 
incorrect; instead, we restrict a to contain only the mappings for the variables in and map all the 
variables from F^ to themselves. This is written as [ij\k -H- id(r^)](<j>n|^_,_,_p»:). 

Checking the extension <7, a;k^ of a substitution by a variable involves looking up the declared type 
oi)^ va^ and compare it to the expected type. Because the expected type A [F*] was well-typed in «I>", 
we must verify that»P(x'^) = [a]<i>» (A[F^]). Note that [a]<i>„(A[F^]) = {[o\r,\^^\^^r,)A)[[o]^T\ 

Finally, we consider the rules that characterize well-formed contexts. In the typing rules discussed 
above, we are often given contexts ^> that are not closed but rather whose assumptions might depend on 
the ambient context ^. Since ^ is already assumed well-formed, we keep it to the left of the turnstile and 
write *P h <I>" ctx to mean <I> is a well-formed context at level n in context *P. An alternative would have 
been to have judgements of the form h F" ctx only and state that <I>" in *F is well-formed as h ^Fj^ -H- O". 
A context «I>",;c*^:A[F*^] is well-formed if •!>" is well-formed and A[4>*^] is well-typed. Again we must be 
careful about the dependency structure. The context F^ can refer to variables from 4>", but only at levels 
k<n. Moreover, any variable where n < m is declared in ^. 

2.4 Properties 

We begin by proving some properties about contexts and context merging and chopping. We first show 
that we can always increase the upper bound of a context. 

Lemma 1 (Cumulativity). 7f*F h <I>" ctx and n <k then *F h O*' ctx. 

Next, we show that merging produces well-formed contexts, if both contexts are independent. 

Lemma 2 (Closure under independent context merging), 
//■hi*" ctx aw/ ■ h ctx then ■ h +\- «D*)«°ax(n,*) ^tx. 

More importantly, if we extend a context with a context ^ where h <3>* ctx, the resulting con- 
text -H- is well-formed. This lemma is crucial to ensure that we work with well-formed contexts 
during typing. 
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Lemma 3 (Well-formed context extension). 

If h ctx and W h ctx then ■ h {W +f 0<^)max{«,*:) 

Lemma 4 (Closure under chopping), /f- h ctx then ■ h {^\n)'^ ctx. 
Lemma 5 (Weakening, Identity). 

1. h J then +f x":A[<I>"] h /. 

2. Le? = ;t":A[<I>"] denote the subcontext C *P of assumptions at level n. We have that 
^> h»F(?i). 

Lemma 6 (Well-formedness of contexts at level k). *P h ctx iff'^\k l~ ctx. 



2.5 Hereditary Substitution 

Normal terms are not closed under vanilla substitution, a rather problematic matter of fact given that our 
syntax can only express normal forms. For example, when replacing naively x by Xy.c y in the object x z, 
we would obtain {Xy.c y) z- It is essential therefore to iron out as we go any redices we might create as 
a result of substituting terms for variables. We hence follow I2TI in defining a hereditary substitution, 
which does just that. That hereditary substitutions always terminate on well-typed normal terms is crucial 
to ensuring that our typing rules are decidable. In the above example, hereditary substitutions continue 
to substitute z for j in c j to obtain c z as a final result. This idea scales to our setting, but we must be 
careful to observe the scope of variables. 

Hereditary substitution are defined structurally considering the term to which the substitution opera- 
tion is applied and the type of the object which is being substituted. The type is only needed to construct 
evidence of termination. We define the hereditary substitution operations for types, normal object, neutral 
objects, substitutions, and contexts. 

In the formal development it is simpler if we can stick to the structure of the example above and 
use only non-dependent types in hereditary substitutions. This suffices because we only need to know 
whether we have encountered a function which can be reduced further or whether we have reached 
an object of base type and reduction will terminate. We therefore first define type approximations a 
and an erasure operation ()^ that removes dependencies. Before applying any hereditary substitution 
[<!>". A^/;(;"]^[<i>«](M) we first erase dependencies to obtain a[0] = (A [<!>]) ^ and then carry out the hereditary 
substitution proper as [<i>".A^/x"]„j0]B. A similar convention applies to the other forms of hereditary 
substitutions. 

Type approximation a,j3 ::= a | ^ j3 
Context approximation 7, i/A ::= • | 7,y:a[0] | 7,;c":_ 

The last form of context approximation, x":_ is needed when the approximate type of a;" is not available^ 
It does not arise directly from erasure. 

Types and contexts are related to type and context approximations via an erasure operation ()^ which 
we overload to work on types and contexts. 

(a)^ = a 

{P{'¥.N)y = P 

{YW'::A[^>%By = (A)"[(»F")"] ^ (B)^ 

{■)- = ■ 

(»P",x*:A[<I>'^]) = (»P")",x*^:(A)"[(<I>*) ] 



See the definition of [a] ^rl• {Xy" . M) in thie electronic appendix. 
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Herediatary substitution is given by the following equations. We overload the substitution operation 
to work on normal terms, neutral terms, substitutions, and contexts. 

[<J>«.Ar/x"]„[0] (N) = N' Hereditary substitution into A'' 

[<i>".A^/x"]„[0](/?) =/?' or M':a' Hereditary substitution into /? 
[<J>" JV/x"]o;[0](a) = a' Hereditary substitution composition 

[<i>" .N/x^jai^^i'^) Hereditary substitution into ^ 

Applying a substitution to a neutral term, may yield either a neutral term or a normal term together 
with a type approximation. In the latter case, we can simply drop the type approximation, since it is only 
necessary for guaranteeing that any reductions triggered when applying the substitution to a neutral term 
will terminate. 

Substitution into normal and neutral terms We present hereditary substitution for normal terms and 
neutral terms, substitutions and context. The definitions for types can be found in the appendix. 



Substitution into normal terms 

[<i>«.iV/x«]o,[0](A/.M) = A/.M' where [<i>".iV/x"]„[0](M) =M' if yt<n 
[4>".Af/x"]«[^](A/.M) = A/.M' where [<i>".A^/x"]„[0](M) =M' 

if/0FV(<i>".A^)and/t>n 
[^".N/x"]„[^]{R) = M if[<i>".A^/x«]„[0](/?)=M':a' 

[«J>".A^/y]„[^](Ar) fails otherwise 

Substitution into neutral terms 
[^".N/x"Ui^^ic) = c 

[^".N/x"]„[^]iA(^]) = N':a where[4>".iVA«]«[^]((7) = (7' 

and [o%iN)=N' 

[4>"-A^A1a[0](/[a]) = y'[o'] where[<i>«.A^A"]«[0](a) = a'if/7^x« 

[4>" -N/x"] a[^] {R i'i'' M) ) = R' {^><^ M') where [<!>" .N/^'\ «[^] {R) = R' 

and [6".A^/x"]„[0](M) =M' if k<n 

[<^.N/x"]a[^]{R{^KM)) = R' {^Km) where [<^.N /x"]a[^]{R) = R' if k> n 

[^".N/x"]ai^^{R{^KM)) = N":I5 where [<i>«.iV/x"]«[^](/?) = A/.Ar':y[VA] ^ jS 

andM' = [<!>«. A^/x"]„[0](M) 
mdN" = [^'.M'/y%^^]{N') 
if Y[xir] P < a[<^] and k<n 

[4>".A^/^]«[0] (R i'P'.M)) = N":I5 where (R) = X/ . N' -.riv] ^ j8 

andA^" = [4'^.M//]^[^](A^') 
if yIy] P < cc[(j)] and k>n 

[^".N/^]a[^]{R) fails otherwise 



Figure 2: Hereditary substitution on normal terms and neutral terms 
We define [4>".7^/x"]„[^](M) and [<I>".A^/x"]«[0](/?) by nested induction, first on the structure of the 
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type approximation cc[(j>] and second on the structure of the objects and R. In other words, we either go 
to a smaller type approximation (in which case the objects can become larger), or the type approximation 
remains the same and the objects become smaller We write a < [5 and a < j8 if a occurs in /3 (as a 
proper subexpression in the latter case). Such occurrences can be inside a context approximation Xj/ in 
the function approximation j3i [y] =^ Pi^ so we also write a < \j/ if a < (5 for some }^:j3 [y] in l/A, and we 
write a < j3 if a < j8 or a < i/A. 

When defining substitutions, we must be careful to take into account where multi-level variables 
are bound. For example, when applying [^.N/x"] to a lambda-abstraction A;c*.M, we must check for 
possible capture, if k>n. Recall that ^.N only binds variables up to level n locally and A'^ can still refer 
to variables greater or equal to n which have from 's perspective a global status. Therefore, if k>n, we 
must ensure that does not occur in the free variables of <i>".A^, written as FV(4>".A'^). If A: < n, then 
can in fact not appear in ^.N because all variables of level k are bound in 4>". Recall that all variables 
x"[a] exist as closures, and hence all variables in <!>" will be substituted for using a. 

When considering the substitution operation on neutral terms, two cases are interesting, applying the 
substitution to a variable and to an application. When we apply ^".N/x" to a variable j^[ct], we apply it 
to <7 obtaining o' as a result. If 7^ y , we simply return y'^[(j'] . If = ;c", i.e. n = k and y = x, then we 
must continue to apply a' to A'^ obtaining A^'. We then return N' : a, because y^[<y] may have occurred in 
a functional position, and we must trigger a /3 -reduction step, if it is apphed. 

Propagating the hereditary substitution [^".N/x"] through an application R (*P*^.M) is split into mul- 
tiple cases considering the level and the possible elimination of created redices. If A: < n, we need to 
apply the substitution not only to R but also to (<i>^.M), because M may refer to x"; otherwise, we only 
need to apply the substitution to R, because all occurrences of x" in M wee bound locally by 4>^. 

If applying the substitution to R produces a normal term Xy'^.N', then we must continue to substitute 
and replace )A with (4'*.M) in A^'. The approximate type annotations on the substitution guarantees that 
the approximate type of the lambda-abstraction is smaller than the approximate type of x", and hence 
this hereditary substitution will terminate. 

Single substitution into simultaneous substitutions Applying <i>".N/x" to a substitution a is done 
recursively and is straightforward, when we keep in mind the fact that all variables below k are bound 

within M when we encounter *P^.M. lfk>n, then applying the substitution ^.N/x" to W^.M will leave 
it unchanged. Only if k <n, we push the substitution ^".N/x" through M. When we encounter a'.Aj^ 
where y^ / x", we simply apply the substitution to a'. If we encounter <?', ax", then we must replace x" 
by «3>".A^. 



(j'^^>k j^/ ^jjere [6".A^/x"]„[^](M) = M' 

and [<i>".A^/x"]„[^](a) = o' if k<n 
o',^''.M where [<i>".A^/x"]„[0](a) = o' if k>n 
o^^^-N where [4)".A^/x"]„[0](a) = a' 
a', a/ where [6".Af/x"]«[^](a) = a' if jV^" 

Substitution into contexts Applying ^".N/x" to a context proceeds recursively on the structure of the 
context until we encounter a declaration x* where k>n. Because our contexts are ordered, we know that 
the remaining context cannot contain an occurrence of x". 



[^".N/x"]ai^^{G,^'^.M) = 

[<i>«.Af/x"]„[^](a,AX«) = 
[4>".^A"]«r^l(a,A/) = 
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[6".Ar/y]„[^](1',/:A[r*]) = 1",/:A'[r'*] where [4>".A^/x'']„[^](»F) = 

and [<i>".A^/x"]«[^](A[r'']) = A'[r'*] if it < n 
[4>".^A"]«[^](»F,/:A[r^]) = »I',/:A[r^] if k>n 

Simultaneous substitutions Similar to the single substitution operation, the simultanous substitution 
operation is indexed with the domain of o described by the approximate context 0. To define simulta- 
neous substitutions it is worth recalling how they arise: A simultaneous substitution a is associated with 
a variable x" which has type A [<!>"]. As a consequence, a provides instantiations for variables declared 
in «I>", i.e. variables up to level n. Any variable at level n or above is bound in the ambient context and 
a will not provide any substitutions for such variables. It thus makes sense to write any upper bound on 
a simultaneous substitution explicitly as in a'\ just as for contexts, but we generally choose to omit it. 
Defining the simultaneous substitution we must be careful to ensure that the usual substitution properties 
for simultaneous substitution holds — if^\-<y^^" and r|„ -H- 'I'" h 7 then r|„ -H- <I> h [crj^,/. r|„ is 
the ambient context which remains untouched by the simultanous substitution a. 

The typing rules act again as a guide in our definitions. For lambda-abstractions for instance, pushing 
a simultanous substition a" through Xy^M we need to distinguish cases based on the level: iik<n, then 
we must extend the substitution a with the identity mapping for From the typing rule for lambda- 
abstractions, we see that contexts are ordered and we insert the new declaration at its correct position 
using context merging. Similarly, we need to define substitution merging operation which will extend a 
and insert y'^ at its correct position. \ik>n, then a does not need to be extended as we push a" through 
the A -abstraction because the substituion ex" has no effect on variables above level n. 

For applications for instance, applying a simultaneous substitution a where F h a ctx should 

take R {^"\N) from the context m to the context F. This is justified in a straightforward manner by 
appealing to the induction hypothesis on the premises of the typing rule. However, we cannot directly 
appeal to the induction hypothesis in the second premise since the assumptions do not match the domain 
of a. If we want the substitution property to hold, we must define substitution chopping operation similar 
the context chopping operation together with an identity substitution for mapping the variables in <I>" to 
themselves. We therefore define chopping as (<j/)/a) |„ inductively on the structure of a and its domain \\f. 
Both for chopping off parts of a substitution and merging substitutions, we will resurrect the domain of 
the substitution to have access to the level of each variable for which the substitution provides a mapping. 
For convenience, we omit writing out the resurrected contexts during merging and chopping when they 
are understood. We also write F for and ^".N. 



Merging substitutions: C7/i/a -H- t/^ = p 

•/ -+4-7/0 = T 

a/i/A-H--/- = (7 

{o/y, F/x") F'//) = {{o/y, F/x") +{- t/0),F' if k<n 

(a/i/^, F'//) = {o/y+^{t/(1>, F'/y'')),F otiierwise 

Chopping substitutions: ((7/i/a)|„ = t 

{o/y, F//)\„ = {(7/y)\„ if k<n 

{(J/Y, F/y% = (y,F if k>n 
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The identity substitution, written as id(<i>) is the simple unrolling of <!> into a substitution: id(-) = • 
and id(<i>,x') = id(<i>), ajc'. Due to lack of space we omit the definition of simultanous substitution here 
(see appendix for the full definition). 

Properties of substitutions If the original term is not well-typed, a hereditary substitution, though 
terminating, cannot always return a meaningful term. In that case, we simply fail to return a result. Later 
we show that on well-typed terms, hereditary substitution always returns well-typed terms. 

Applying the substitution to an object will terminate because either we apply the substitution to a 
sub-expression or the objects we substitute are smaller. The following substitution property holds for 
types, terms, substitutions and contexts. 

Lemma 7 (Termination). 

1. If[^'".N/x%[^]{R) =M':p then /3 < a^]. 

2. .N / x'^\qi^\^^ (_) terminates, either by returning a result or failing after a finite number of steps. 
Lemma 8 (Identity extension). 

1. H a <^ O then ^> Vr x^:[o],^{A\r'']) h p +f x*^:A[r*^] where p = a/0 +f t.x^/x^. 

2. IfV h a O then ^ Vr [o]^T h p O -f-f T where p = o/^ Vr \d{y). 
Lemma 9 (Substitution property). 

1. IfA\„ ^ h a ^ and A\n ^ <I>" h 7 then A|„ ^ ^F" h [a]^{J). 

2. //»P|„ -H- hN^Aand »P,x":A[<I>"] h J then h ['^'\N /x"]a[<t,]{J). 

Note that in the case of type synthesis of terms, the conclusion of the statements depend on the result of 
the substitution, e.g.: 

(a) A|„ ^+^>"^R'^ [a]0C if [o]^R = R'. 

(b) A|„ -H-»F" hM^[o]^Cif[a]^R = M:awhere a = i[o]^Cy. 

The typing judgments are syntax-directed and therefore clearly decidable. Hereditary substitution 
always terminates, giving us a decision procedure for dependent typing. 

Theorem 10 (Decidability of Type Checking). 

All judgments in the dependent contextual modal type theory are decidable. 

3 Related Work 

Multi-level logics of contexts Contextual reasoning has been extensively studied for various applica- 
tions in AI. For example, Giunchiglia et al have explored contextual reasoning [9] and have investigated 
a multi-language hierarchical logic where we have an infinite level of multiple distinct languages. 

In flO| they introduce a class of multi-language systems which use a hierarchy of first-order lan- 
guages, each language containing names of the language below. Any two adjacent languages in the 
hierarchy are linked only by two bridge rules. The hierarchy is understood as an alternative to extend- 
ing modal logics with new modalities. Their goal is to provide a foundation to the implementation of 
"intelligent" reasoning systems. As the authors observe, we may use a different system to reason about 
a object logic (which may rely on induction) vs reasoning within a given object logic. Indexes encode 
information of the "locality of the reasoning", where the reasoning take place. This is similar in spirit to 
our use of level annotations on variables. 
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Multi-level meta-variables We motivated the multi-level system in the introduction with the need to 
model the dependency of holes on bound variables as well as meta-variables. This naturally leads to a 
multi-level system. This idea has played an important role in Sato et al [19] where the authors develop 
a multi-level calculus for meta-variables. As in our work, variables carry an index to indicate whether 
they are a bound variable, meta-variable, or a meta^-variable, etc. The main difference compared to our 
work is that the authors define a "textual" substitution which allows capture. This is unlike our capture- 
avoiding substitution operation. There are two main obstacles with textual substitutions. First, we will 
lose confluence. The second problem is that some reductions may get stuck. To address these problems 
the authors suggest to define reductions in such a way that it takes into account the different levels and 
keep track of arities of functions. This leads to a carefully engineered system which is confluent and 
strongly normalizing, although not very intuitive. We believe our framework is simpler. 

Gabbay and Lengrand ||6l |7l propose a multi-level calculus for meta-variables called the Lambda 
Context Calculus where variables are modeled via nominals. They also define two different kinds of 
substitutions: one, a capture-allowing substitution, i.e. a meta-variable of level n is allowed to capture 
names below n and two, a captrue-avoiding substitution for variables greater than n. This inherently leads 
to difficulties regarding confluence. Our work has one uniform capture-avoiding substitution operation 
leading to a more elegant calculus. 

Finally, we mention the work by Geuvers and Jogjov (see for example fE\). Open terms are rep- 
resented via a kind of meta-level Skolem function. However, in general reduction and instantiation of 
meta-variables (or holes) do not commute. This problem also arises in Bognar and de Vrijer ||3l. Our 
work resolves many of these aforementioned problems, since reduction and instantiation naturally com- 
mute and require no special treatment. 

Functional multi-level staged computation The division of programs into two stages has been studied 
intensively in partial evaluation and staged functional computation. Davies and Pfenning H proposed 
the use of the modal necessity operator to provide a type-theoretic foundation for staged computation 
and more specifically, run-time code generation. Abstractly, values of type DA stand for an (unevalu- 
ated) source expression. To avoid generating closures, contextual types may be used to generate "open" 
(unevaluated) source expressions |[T4l . An open source expression would then have type A [^F] to describe 
code of type A in a context *F. 

However, this two-level framework does not allow us to specify multi-level transition points (e.g. 
dynamic until stage n). For example, Gliick and J0rgensen [12. 11] propose a multi-level specialization 
to allow an accurate and fast multi-level binding-time analysis. This means that a given program can be 
optimized with respect to some inputs at an earlier stage, and others at later stages. Gliick and J0rgensen 
generalized two-level program generators into multi-level ones, called multi-level generating extensions. 
By this generalization, a generated code fragment can be used for different levels. Subsequently, Yuse 
and Igarashi ||22]| proposed a logical foundation for multi-level generating extensions based on linear 
time temporal logics. We believe that our framework of multi-level contextual types may be used as an 
alternative to generate open code which can be used at different levels and manage its dependency on 
previous levels cleanly. 

4 Conclusion 

We generalized and extended the original contextual type theory of Nanevski et al |[T4l . where we dis- 
tinguish between meta-variables and bound variables, to multiple levels. This streamlines the original 
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presentation with fewer typing rules, syntax and operations but with many of the same properties. Sub- 
stitutions are defined, checked applied and manipulated in exactly the same way as meta-substitutions, 
for instance. We believe our framework provides already a suitable foundation for formalizing contexts 
in theorem proving and functional programming. Unlike other attempts to provide a multi-level calculus, 
we believe our work which is based on contextual modal types avoids and simplifies many of the issues 
which arise such as capture-avoiding substitution and the related issues of confluence. 

While we have used a named calculus for expository purposes, the system also generalizes nicely a 
calculus based on de Bruijn indices and suspensions more typical of an implementation, such as that of 
Abel and Pientka |T|. Variables are then pairs of indexes into a substitution inside a stack of substitutions. 

We have shown that it is possible to express meta*^-terms in this generalized contextual type theory but 
have left largely untouched the question of how to attach a computational behaviour to such objects and 
compute with them. A first step towards representing computations is to move to a non-canonical calculus 
that permits arbitrary (typed) terms, to which we could attach arbitrary rewrite rules as in deduction 
modulo |5 |. We could then add meaningful recursors to some of the layers to write proofs by induction, 
or add more computational effects for a layer acting as a tactic layer for a programming and reasoning 
system such as Beluga. We would obtain a uniform framework for all of representations of syntax, proofs 
over these representations and tactics over these proofs. And indeed, such a system would be useful for 
implementing Beluga within Beluga itself. 
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